SDR (Software-Defined Radio) refers to radio communication in which e.g. the transmitter modulation and coding, as well as the receiver demodulation and decoding, are performed by software-controlled hardware. In a conventional software-defined radio communication terminal, e.g. a mobile phone/terminal, the ADC (Analogue-to-Digital Converter) for converting the analogue audio signal to digital data, the modulator for superimposing the digital data onto a radio-frequency carrier, as well as the demodulator and the DAC (Digital-to-Analogue Converter) may comprise software-controlled hardware circuits, firmware or FPGAs (Field Programmable Gate Arrays).
One advantage of software-defined radio is that different radio protocols may be implemented simply by running different software versions, thereby resulting in increased flexibility and versatility, and new signal processing algorithms and coding schemes may be introduced in a mobile phone/terminal by remote updating of the software.
OFDM (Orthogonal Frequency Division Multiplexing) is a digital multi-carrier modulation scheme that may be used in radio communication. In software-defined radio, the modulation may be performed by software, which introduces a security drawback, since a skilled and malicious user may be able to modify or replace the radio signal processing software in order to access a service without a subscription, or to steal resources from other users. In frequency division schemes, such as e.g. the above-mentioned OFDM, as well as in TDMA (Time Division Multiple Access) or CDMA (Code Division Multiple Access), a mobile terminal that is experiencing e.g. poor reception quality, a low bit-rate, or bit errors, may be assigned additional resources, e.g. more time-slots, higher transmit power, or a wider frequency range, in order to improve the QoS (Quality of Service). Within a RAN (Radio Access Network), the resource allocation is based on reports from a mobile terminal, e.g. regarding how well or poorly the terminal is able to hear a pilot tone from the RBSs (Radio Base Stations) within range, or regarding the number of lost/erroneous IP packets, and if a mobile terminal reports bad reception, the RAN may try to compensate for this by allocating more resources to this mobile terminal.
A user may modify the existing software in the mobile SDR terminal to e.g. always report bad reception or interference from another terminal, or to favor RBSs belonging to a certain operator or a certain access technology. Another possible modification of the software may encourage a change of cell, technology or service, or pretend lack of capabilities. This manipulation of the software may have the effect that more resources are allocated to a user, that other users are not granted access, that the transmission power is too high and causes interference, or that undesired hand-over decisions are taken.
For example, a user receiving an audio or video service that tolerates bit errors may report a too low reception quality in order to be assigned more radio resources, which will result in fewer radio resources being allocated to the other users. Since a modern RAN performs predictions and optimizations based on reports from the mobile terminals, false information will give the network operator a wrong picture of the overall link status. Therefore, it is important to prevent and/or detect any modification and replacement of the code in a software-defined radio communication terminal, i.e. to provide a so-called integrity protection of the software.
Integrity protection of a message transmitted from a sending node to a receiving node is normally implemented by an integrity protection key, Rk, which is known to both the sending node and the receiving node. Conventionally, a message is integrity protected by the sending node, which computes a message authentication code, or checksum, based on the message to be sent and on said integrity protection key, Rk, and transmits the message together with said computed checksum. The receiving node will integrity check the received message by, in turn, computing a message authentication checksum based on the received message and on said integrity protection key, Rk, and comparing the computed checksum with the received checksum. Only if said computed checksum corresponds to the received checksum, appended to the message, is the received message determined to be authentic and unmodified.
In the present 3G standard, the RRC (Radio Resource Control) signalling is integrity protected by an integrity protection key, Ik, derived from the USIM card (Universal Subscriber Identity Module) during a user/subscriber authentication procedure known as AKA (Authentication and Key Agreement). However, this key only provides assurance that a USIM is present, not that the USIM card is operating with a correct terminal.
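The following added example (not part of the original text) implements the keyed-checksum scheme described above and shows the limitation just noted: the checksum detects modification in transit, but a false report built by whoever holds the key verifies as authentic. HMAC-SHA-256, the JSON report layout, the field names and the key value are assumptions made for illustration; the text names no algorithm or message format.

```python
import hashlib
import hmac
import json

TAG_LEN = 32  # HMAC-SHA-256 output size in bytes (algorithm is an assumption)

def protect(rk: bytes, report: dict) -> bytes:
    """Sending node: serialize the report and append MAC(Rk, message)."""
    message = json.dumps(report, sort_keys=True).encode()
    return message + hmac.new(rk, message, hashlib.sha256).digest()

def verify(rk: bytes, wire: bytes):
    """Receiving node: recompute the MAC; return the report, or None if it fails."""
    if len(wire) <= TAG_LEN:
        return None
    message, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(rk, message, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(message)

# Constructed sample values, for illustration only.
RK = bytes(range(32))
HONEST = {"terminal": "T1", "pilot_rssi_dbm": -71, "lost_packets": 2}

def tampered_in_transit() -> bytes:
    """A valid message whose body is altered after the MAC was computed."""
    wire = protect(RK, HONEST)
    return wire[:-TAG_LEN].replace(b"-71", b"-99") + wire[-TAG_LEN:]

def false_report_from_key_holder() -> bytes:
    """A false report produced by software that has access to Rk."""
    return protect(RK, dict(HONEST, pilot_rssi_dbm=-110, lost_packets=400))

if __name__ == "__main__":
    print("honest report   :", verify(RK, protect(RK, HONEST)))
    print("altered in flight:", verify(RK, tampered_in_transit()))
    print("false at source :", verify(RK, false_report_from_key_holder()))
```

The third case is accepted because the checksum authenticates the key holder, not the software that generated the report, which is why the text goes on to look for integrity protection of the terminal software itself.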
Another known method to provide authentication of a terminal is the DRM (Digital Rights Management)-concept, in which the content provider checks that a terminal is provided with a mechanism for copy-protection, e.g. a DRM module, before transferring the content to the terminal. However, this authentication only takes place before the transmission of the data content to the terminal, and no integrity check is performed of a DRM module once provided in the terminal. This means that a skilled user may still be able to modify the terminal and the software after the reception of the content, thereby potentially violating the content usage rules.
Remotely upgraded software may comprise viruses and other malware, and it is known to integrity protect remote (e.g. over-the-air) updates by signing the software code. However, this only authenticates that the code is distributed from the correct source, and only at the time of the install.
The TCG (Trusted Computing Group) is a consortium that has developed specifications for a so-called TPM (Trusted Platform Module), which may be implemented as a hardware chip for a personal computer and is capable of providing reliable software information to the operating system or an external entity regarding the software of the platform on which it resides. A TPM may perform various security functions, including cryptographic functions and protected hardware-based key and data storage, comprising integrity measurements, storage and reporting of the platform configuration. The integrity measurements collect information representing some data or program code, and the measured entities may relate to hardware or software involved in the execution sequence on the platform, e.g. the BIOS, the boot loader code, the operating system kernel or the application code, such as the SDR (Software-Defined Radio) code. In a terminal provided with a TPM, it is possible to authenticate a software code each time it is loaded into a memory, thereby offering an improved protection. However, this is normally not performed on-line while the code is running, since this would degrade the performance, and therefore a skilled user may replace the code after the authentication. Even if a request for a “configuration integrity measurement” is made at a later moment, the integrity can only be assured for that particular moment, and not continuously or periodically.
Thus, a TPM is not capable of providing a continuous or periodic on-line verification of software without significantly degraded performance.
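The gap between load-time measurement and run-time state described above can be seen in a small model, added here as an illustration and not taken from the original text. It is a simplified stand-in for a TPM measurement register (extend as a SHA-256 hash chain); the `Terminal` class, the image names and the byte strings are hypothetical.

```python
import hashlib

def extend(pcr: bytes, code: bytes) -> bytes:
    """Extend operation: PCR_new = H(PCR_old || H(measured code))."""
    return hashlib.sha256(pcr + hashlib.sha256(code).digest()).digest()

def reference_value(images) -> bytes:
    """Value a verifier expects for a known-good sequence of images."""
    pcr = bytes(32)
    for code in images:
        pcr = extend(pcr, code)
    return pcr

class Terminal:
    """Hypothetical platform that measures each image once, when it is loaded."""

    def __init__(self, boot_chain):
        self.pcr = bytes(32)
        self.memory = {}
        for name, code in boot_chain:
            self.pcr = extend(self.pcr, code)  # measured before execution
            self.memory[name] = code           # then resident in memory

    def report(self) -> bytes:
        """Reports the stored load-time measurement, not the current memory."""
        return self.pcr

    def remeasure(self) -> bytes:
        """Re-hashes everything currently in memory: valid for this instant only."""
        return reference_value(self.memory.values())

# Constructed stand-ins for the boot loader, kernel and SDR code images.
BOOT_CHAIN = [("bootloader", b"boot-v1"), ("kernel", b"kernel-v1"),
              ("sdr", b"sdr-modem-v1")]
GOOD = reference_value(code for _, code in BOOT_CHAIN)

def replaced_after_load() -> Terminal:
    """Terminal whose SDR code is replaced after it passed the load-time check."""
    terminal = Terminal(BOOT_CHAIN)
    terminal.memory["sdr"] = b"sdr-modem-modified"
    return terminal

if __name__ == "__main__":
    t = replaced_after_load()
    print("load-time report matches reference:", t.report() == GOOD)
    print("fresh re-measurement matches      :", t.remeasure() == GOOD)
```

The stored measurement still matches the reference after the replacement, and only a fresh pass over all resident code reveals the change, which is the per-check cost that makes continuous verification expensive.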